LATERAL MOVEMENT DETECTION

LATERAL MOVEMENT GENERATES DETECTABLE MALWARE ACTIVITY

No organization is immune from malware attacks. While malware can penetrate networks in a variety of ways (email phishing, a compromised external drive, an infected personal device, an IT misconfiguration, etc.), once it has gained entry the attack typically evolves through the stages of the cyber kill chain. It carries out early reconnaissance, establishes persistence, reaches out to the outside world through a Command & Control server, and then initiates a series of lateral movements (access to resources, propagation, privileges, etc.) until it reaches its final goal: data exfiltration, data destruction, or a demand for ransom. During the lateral movement phase, an attack generates specific types of network traffic, and it is here that it becomes most vulnerable to detection using Deep Packet Inspection (DPI).

[Figure: “The Cyber Kill Chain”]

HOW QOSMOS INSIDE SOLVES THE PROBLEM

The specific types of network traffic generated by malware as it gathers valuable information for exfiltration during the lateral movement phase are what make it most vulnerable to detection. However, managing the huge volume of data needed to analyze traffic in adequate detail requires considerable resources and can slow malware detection, compromising system security. The problem is often compounded by the high number of false positives such analysis generates.

Qosmos ixEngine analyzes data flows in real time using advanced DPI technology. It draws on an extensive library of over 3200 protocols and can extract up to 5000 application metadata attributes in order to distinguish abnormal network-based lateral movements from legitimate activity. It gives cyber security solutions a granular view of network traffic, allowing them to map data movements and understand file content. In addition, because Qosmos ixEngine analyzes traffic in real time with negligible impact on system resources, it raises solution performance and speeds intrusion detection.

QOSMOS IXENGINE CAN HELP DETECT ABNORMAL NETWORK TRAFFIC SUCH AS:

File shares

Port scan

Windows Management Instrumentation (WMI)

Active directory & admin shares

ARP spoofing

As a result, network-based lateral movements are detected quickly, allowing rapid containment of attacks and remediation. The protocol information and metadata can also be used to improve the results of user behavior analysis and machine learning, and to enable mitigation at each stage of the kill chain, improving the effectiveness of security solutions.
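As an added illustration, not Qosmos code and not ixEngine's actual API, the following Python runs simple defensive checks for three of the indicators listed above (port scans, admin share access, ARP spoofing) over constructed flow and ARP metadata records of the kind a DPI engine extracts; the record layout, the admin-host whitelist and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of DPI-style flow metadata (not real ixEngine output).
# Each record: (source IP, destination IP, destination port, application, SMB share)
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, "smb", "ADMIN$"),
    ("10.0.0.5", "10.0.0.21", 445, "smb", "C$"),
    ("10.0.0.9", "10.0.0.20", 445, "smb", "ADMIN$"),  # 10.0.0.9 is the allowed admin host
    ("10.0.0.7", "10.0.0.30", 80, "http", ""),
] + [("10.0.0.5", "10.0.0.40", p, "unknown", "") for p in range(20, 60)]  # 40 ports probed

# Constructed ARP replies: (sender IP, sender MAC)
ARP_REPLIES = [
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ("10.0.0.1", "de:ad:be:ef:00:01"),  # a second MAC claiming the gateway IP
    ("10.0.0.20", "aa:aa:aa:aa:aa:20"),
]

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
ADMIN_HOSTS = {"10.0.0.9"}  # assumed whitelist of hosts expected to use admin shares

def detect_port_scan(flows, threshold=25):
    """Sources that touched more distinct (host, port) targets than the threshold."""
    targets = defaultdict(set)
    for src, dst, port, _app, _share in flows:
        targets[src].add((dst, port))
    return sorted(src for src, t in targets.items() if len(t) > threshold)

def detect_admin_share_access(flows):
    """SMB connections to administrative shares from hosts outside the whitelist."""
    return sorted({(src, dst, share) for src, dst, _port, app, share in flows
                   if app == "smb" and share in ADMIN_SHARES and src not in ADMIN_HOSTS})

def detect_arp_spoof(replies):
    """IP addresses claimed by more than one MAC within the sample."""
    macs = defaultdict(set)
    for ip, mac in replies:
        macs[ip].add(mac)
    return sorted(ip for ip, m in macs.items() if len(m) > 1)

if __name__ == "__main__":
    print("port scan sources:", detect_port_scan(FLOWS))
    print("admin share access:", detect_admin_share_access(FLOWS))
    print("arp spoofing:", detect_arp_spoof(ARP_REPLIES))
```

In practice the thresholds would be tuned per network segment and the results correlated with the other kill-chain stages, which is where the false-positive reduction mentioned above comes from.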